CVE-2026-5007
OS Command Injection in kazuph mcp-docs-rag cloneRepository Function
Publication date: 2026-03-28
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kazuph | mcp-docs-rag | up to and including 0.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5007 is a command injection vulnerability in the mcp-docs-rag project, specifically in the add_git_repository and add_text_file tools. The issue arises because these tools use Node.js's child_process.exec function unsafely by directly embedding user-controlled inputs such as repository_url, subdirectory, and file_url into shell commands without validation or sanitization.
Since exec runs commands through a system shell, malicious inputs containing shell metacharacters (like ;, &, |) can be interpreted as additional commands, allowing an attacker to execute arbitrary commands on the host system with the privileges of the MCP server process.
The vulnerability requires local access to perform the attack, and a proof-of-concept exploit is publicly available. The vulnerable code is located in src/index.ts at specific lines where user inputs are concatenated into shell commands.
How can this vulnerability impact me?
This vulnerability allows an attacker with local access to execute arbitrary operating system commands on the MCP server host. The impact depends on the privileges of the MCP server process but can include unauthorized data access, modification of system files, and potential privilege escalation.
Successful exploitation could lead to full system compromise, data breaches, or disruption of services provided by the MCP server.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the command injection flaw in the add_git_repository or add_text_file tools of the mcp-docs-rag server. Specifically, you can test if user-controlled inputs such as repository_url or file_url are unsafely passed to shell commands.
A practical detection method involves using the MCP Inspector tool to connect to the running MCP server and inputting a malicious parameter containing shell metacharacters to see if arbitrary commands are executed.
For example, a command injection test could be performed by providing a repository_url like: https://github.com/kazuph/mcp-docs-rag&whoami > poc.txt
If the server executes the injected command, it will create a file named poc.txt containing the output of the whoami command, confirming the vulnerability.
No specific network commands are provided, but monitoring for unexpected shell command executions or suspicious file creations (like poc.txt) on the host system can also indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the use of Node.js's child_process.exec function with execFile or execFileSync, which execute commands without invoking a shell and accept arguments as an array, preventing shell interpretation of user inputs.
Additionally, implement strict input validation and sanitization on all user-supplied parameters exposed to MCP clients, especially repository_url, subdirectory, and file_url, to prevent injection of shell metacharacters.
Employ parameter separation and proper escaping techniques to ensure that user inputs cannot be interpreted as additional shell commands.
Since the vulnerability requires local access to exploit, restrict local user permissions and monitor for suspicious activities related to the MCP server process.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to execute arbitrary commands on the MCP server host, potentially leading to unauthorized data access and system modification.
Such unauthorized access and potential data compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.
However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.